This is the accessible text file for GAO report number GAO-10-727T entitled 'Information Security: Veterans Affairs Needs to Resolve Long- Standing Weaknesses' which was released on May 19, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, U.S. House of Representatives: United States Government Accountability Office: GAO: For Release on Delivery: Expected at 10:00 a.m. EDT: Wednesday, May 19, 2010: Information Security: Veterans Affairs Needs to Resolve Long-Standing Weaknesses: Statement of Gregory C. Wilshusen: Director, Information Security Issues: Valerie C. Melvin: Director, Information Management and Human Capital Issues: GAO-10-727T: GAO Highlights: Highlights of GAO-10-727T, a testimony before the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, U.S. House of Representatives. Why GAO Did This Study: Since 1997, GAO has identified information security as a governmentwide high-risk issue. This has been particularly true at the Department of Veterans Affairs (VA), where the department has been challenged in protecting the availability, confidentiality, and integrity of its information and systems. Since the 1990s, GAO has highlighted the challenges the department has faced, including the need to safeguard personal information. GAO was asked to testify on VA’s progress in implementing information security and the department’s compliance with the Federal Information Security Management Act of 2002 (FISMA), a comprehensive framework for securing federal information resources. In preparing this testimony, GAO analyzed prior GAO, Office of Management and Budget, VA Office of Inspector General, and VA reports related to the department’s information security program. What GAO Found: VA has made limited progress in resolving long-standing deficiencies in securing its information and systems. In September 2007 and also March 2010, GAO reported that VA had begun or had continued work on several initiatives to strengthen information security practices, but that shortcomings in the implementation of those initiatives could limit their effectiveness. VA has also consistently had weaknesses in major information security control areas. As shown in the table below, VA was deficient in each of five major categories of information security controls as defined in the GAO Federal Information System Controls Audit Manual. Table: Control Weaknesses for Fiscal Years 2006-2009: Security Control Category: Access control; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Configuration management; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Segregation of duties; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Contingency planning; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Security management; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Source: GAO analysis based on VA and Inspector General reports. [End of table] Further, in VA’s fiscal year 2009 performance and accountability report, the independent auditor stated that, while VA continued to make progress, IT security and control weaknesses remained pervasive and continued to place VA’s program and financial data at risk. The independent auditor also noted that VA’s controls over its financial systems constituted a material weakness (a significant deficiency that can result in an undetected material misstatement of the department’s financial statements.) Since 2006, VA’s progress in fully implementing the information security program required under FISMA has been mixed. For example, from 2006 to 2009, the department reported a dramatic increase in the percentage of systems for which a contingency plan was tested. However, during the same period, the department reported a decrease in the percentage of employees who had received security awareness training. Until VA fully and effectively implements a comprehensive information security program and mitigates known security vulnerabilities, its computer systems and sensitive information (including personal information of veterans and their beneficiaries) will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, theft, and destruction. What GAO Recommends: In previous reports over the past several years, GAO has made numerous recommendations to VA aimed at improving the effectiveness of the department’s efforts to strengthen information security practices and to ensure that security issues are adequately addressed. View [hyperlink, http://www.gao.gov/products/GAO-10-727T] or key components. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Valerie C. Melvin at (202) 512- 6304 or melvinv@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: Thank you for inviting us to participate in today's hearing on information security at the Department of Veterans Affairs (VA). Since 1997, we have identified information security as a governmentwide high- risk issue and emphasized its importance in protecting the availability, confidentiality, and integrity of the information residing on federal information systems.[Footnote 1] Since the 1990s, we have highlighted challenges the department has faced, including the need to safeguard personal information. In our testimony today, we will discuss VA's progress in implementing information security and the department's compliance with the Federal Information Security Management Act of 2002 (FISMA).[Footnote 2] In preparing this testimony, we analyzed prior GAO, Office of Management and Budget (OMB), VA Office of Inspector General (OIG), and VA reports related to the department's information security program for fiscal years 2006 through 2009. We conducted our review from April to May 2010 in the Washington, D.C., area in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. Background: VA's mission is to promote the health, welfare, and dignity of all veterans in recognition of their service to the nation by ensuring that they receive medical care, benefits, social support, and memorials. According to recent information from the Department of Veterans Affairs, its employees maintain the largest integrated health care system in the nation for more than 5.6 million patients, provide compensation and pension benefits for nearly 4 million veterans and beneficiaries, and maintain nearly 3 million gravesites at 163 properties. The use of IT is crucial to the department's ability to provide these benefits and services, but without adequate protections, VA's systems and information are vulnerable to those with malicious intentions who wish to exploit the information. To help protect against threats to federal systems, FISMA sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. The framework creates a cycle of risk management activities necessary for an effective security program. In order to ensure the implementation of this framework, FISMA assigns responsibilities to OMB that include developing and overseeing the implementation of policies, principles, standards, and guidelines on information security and reviewing and approving or disapproving agency information security programs, at least annually. It also assigns specific responsibilities to agency heads, chief information officers, inspectors general, and the National Institute of Standards and Technology (NIST), in particular requiring chief information officers and inspectors general to submit annual reports to OMB. In addition, Congress enacted the Veterans Benefits, Health Care, and Information Technology Act of 2006,[Footnote 3] after a serious loss of data earlier that year revealed weaknesses in VA's handling of personal information. Under the act, VA's Chief Information Officer is responsible for establishing, maintaining, and monitoring departmentwide information security policies, procedures, control techniques, training, and inspection requirements as elements of the department's information security program. It also reinforced the need for VA to establish and carry out the responsibilities outlined in FISMA, and included provisions to further protect veterans and service members from the misuse of their sensitive personal information and to inform Congress regarding security incidents involving the loss of that information. VA Has Made Limited Progress in Addressing Information Security Weaknesses: For over a decade, VA has faced long-standing information security weaknesses as identified by GAO, the VA's OIG, and by the department itself. These weaknesses have left VA vulnerable to disruptions in critical operations, theft, fraud, and inappropriate disclosure of sensitive information. VA's efforts to address these deficiencies have had limited progress to date. In September 2007, we reported that VA had begun or had continued several initiatives to strengthen information security practices within the department, but that shortcomings with the implementation of those initiatives could limit their effectiveness.[Footnote 4] At that time, we made 17 recommendations for improving the department's information security practices. We verified that VA had implemented five of those recommendations, including developing guidance for the information security program and documenting related responsibilities. VA has efforts under way to address 11 of the remaining 12 recommendations. These efforts include ensuring remedial action items are completed in an effective and timely manner, implementing guidance on encryption, and developing and documenting procedures to obtain contact information for individuals whose personal information has been compromised in a security breach. We plan to assess whether the department's actions substantially implement these 11 recommendations, and whether VA is now taking action on the twelfth recommendation to maintain an accurate inventory of all IT equipment that has encryption installed. In March 2010, we reported[Footnote 5] that federal agencies, including VA, had made limited progress in implementing the Federal Desktop Core Configuration (FDCC) initiative to standardize settings on workstations.[Footnote 6] We determined that VA had implemented certain requirements of the initiative, such as documenting deviations from the standardized set of configuration settings for Windows workstations and putting a policy in place to officially approve these deviations. However, VA had not fully implemented several key requirements. For example, the department had not included language in contracts to ensure that new acquisitions address the settings and that products of IT providers operate effectively using them. Additionally, VA had not obtained a NIST-validated tool to monitor implementation of standardized workstation configuration settings. To improve the department's implementation of the initiative, we made four recommendations: (1) complete implementation of VA's baseline set of configuration settings, (2) acquire and deploy a tool to monitor compliance with FDCC, (3) develop, document, and implement a policy to monitor compliance, and (4) ensure that FDCC settings are included in new acquisitions and that products operate effectively using these settings. VA concurred with all of our recommendations and indicated that it plans to implement them by September 2010. VA Continues to Report Significant Information Security Shortcomings: Information security remains a long-standing challenge for the department. In 2009, for the 13th year in a row, VA's independent auditor reported that inadequate information system controls over financial systems constituted a material weakness.[Footnote 7] Among 24 major federal agencies, VA was one of six agencies in fiscal year 2009 to report such a material weakness. VA's independent auditor stated that while the department continued to make steady progress, IT security and control weaknesses remained pervasive and placed VA's program and financial data at risk. The auditor noted the following weaknesses: * Passwords for key VA network domains and financial applications were not consistently configured to comply with agency policy. * Testing of contingency plans for financial management systems at selected facilities was not routinely performed and documented to meet the requirements of VA policy. * Many IT security control deficiencies were not analyzed and remediated across the agency and a large backlog of deficiencies remained in the VA plan of action and milestones system. In addition, previous plans of action and milestones were closed without sufficient and documented support for the closure. In addition, VA has consistently had weaknesses in major information security control areas. As shown in table 1, for fiscal years 2006 through 2009, deficiencies were reported in each of the five major categories of information security controls[Footnote 8] as defined in our Federal Information System Controls Audit Manual.[Footnote 9] Table 1: Control Weaknesses for Fiscal Years 2006-2009: Security Control Category: Access control; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Configuration management; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Segregation of duties; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Contingency planning; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Security Control Category: Security management; 2006: [Check]; 2007: [Check]; 2008: [Check]; 2009: [Check]. Source: GAO analysis based on VA and Inspector General reports. [End of table] In fiscal year 2009, for the 10th year in a row, the VA OIG designated VA's information security program and system security controls as a major management challenge for the department. Of 24 major federal agencies, the department was 1 of 20 to have information security designated as a major management challenge. The OIG noted that the department had made progress in implementing components of an agencywide information security program, but nevertheless continued to identify major IT security deficiencies in the annual information security program audits. To assist the department in improving its information security, the OIG made recommendations for strengthening access controls, configuration management, change management, and service continuity. Effective implementation of these recommendations could help VA to prevent, limit, and detect unauthorized access to computerized networks and systems and help ensure that only authorized individuals can read, alter, or delete data. The need to implement effective security is clear given the history of security incidents at the department. VA has reported an increasing number of security incidents and events over the last few years. Each year during fiscal years 2007 through 2009, the department reported a higher number of incidents and the highest number of incidents in comparison to 23 other major federal agencies. VA's Uneven Implementation of FISMA Limits the Effectiveness of Security Efforts: FISMA requires each agency, including agencies with national security systems, to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As part of its oversight responsibilities, OMB requires agencies to report on specific performance measures, including the percentage of: * employees and contractors receiving IT security awareness training, and those who have significant security responsibilities and have received specialized security training, * systems whose controls were tested and evaluated, have tested contingency plans, and are certified and accredited.[Footnote 10] Since fiscal year 2006, VA's progress in fully implementing the information security program required under FISMA and following the policies issued by OMB has been mixed. For example, from 2006 to 2009, the department has reported a dramatic increase in the percentage of systems for which a contingency plan was tested in accordance with OMB policy. However, during the same period, it reported decreases in both the percentage of employees who had received security awareness training and the percentage of employees with significant security responsibilities who had received specialized security training (see figure 1). These decreases in the percentage of individuals who had received information security training could limit the ability of VA to effectively implement security measures. Figure 1: VA Key Performance Measures for Fiscal Years 2006-2009: [Refer to PDF for image: multiple vertical bar graph] Selected performance measure: Security awareness training; FY 2006: 99%; FY 2007: 95%; FY 2008: 84%; FY 2009: 67%. Selected performance measure: Specialized security training; FY 2006: 100%; FY 2007: 100%; FY 2008: 89%; FY 2009: 84%. Selected performance measure: Periodic testing and evaluation; FY 2006: 100%; FY 2007: 100%; FY 2008: 96%; FY 2009: 96%. Selected performance measure: Tested contingency plans; FY 2006: 36%; FY 2007: 25%; FY 2008: 82%; FY 2009: 93%. Selected performance measure: Certification and accreditation; FY 2006: 100%; FY 2007: 97%; FY 2008: 100%; FY 2009: 94%. Source: GAO analysis of agency data. [End of figure] For fiscal year 2009, in comparison to 23 other major federal agencies, VA's efforts to implement these information security control activities were equal to or higher in some areas and lower in others. For example, VA reported equal or higher percentages than other federal agencies in the number of systems for which security controls had been tested and reviewed in the past year, the number of systems for which contingency plans had been tested in accordance with OMB policy, and the number of systems that had been certified and accredited. However, VA reported lower percentages of individuals who received security awareness training and lower percentages of individuals with significant security responsibilities who received specialized security training (see figure 2). Figure 2: Comparison VA to Governmentwide Performance for Fiscal Year 2009: [Refer to PDF for image: multiple vertical bar graph] Selected performance measure: Security awareness training; VA: 67%; 23 major federal agencies: 91%. Selected performance measure: Specialized security training; VA: 84%; 23 major federal agencies: 90%. Selected performance measure: Periodic testing and evaluation; VA: 96%; 23 major federal agencies: 89%. Selected performance measure: Tested contingency plans; VA: 93%; 23 major federal agencies: 86%. Selected performance measure: Certification and accreditation; VA: 94%; 23 major federal agencies: 94%. Source: GAO analysis of agency data. [End of figure] In summary, effective information security controls are essential to securing the information systems and information on which VA depends to carry out its mission. The department continues to face challenges in resolving long-standing weaknesses in its information security controls and in fully implementing the information security program required under FISMA. Overcoming these challenges will require sustained leadership, management commitment, and effective oversight. Until VA fully and effectively implements a comprehensive information security program and mitigates known security vulnerabilities, its computer systems and sensitive information (including personal information of veterans and their beneficiaries) will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, theft, and destruction. Mr. Chairman, this concludes our statement today. We would be happy to answer any questions you or other members of the subcommittee may have. Contacts and Acknowledgments: If you have any questions concerning this statement, please contact Gregory C. Wilshusen, Director, Information Security Issues, at (202) 512-6244, wilshuseng@gao.gov, or Valerie C. Melvin, Director, Information Management and Human Capital Issues, at (202) 512-6304, melvinv@gao.gov. Other individuals who made key contributions include Charles Vrabel and Anjalique Lawrence (assistant directors), Nancy Glover, Mary Marshall, and Jayne Wilson. [End of section] Footnotes: [1] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009) and Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: July 17, 2009). [2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No.107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). [3] Veterans Benefits, Health Care, and Information Technology Act of 2006, Pub. L. No. 109-461, 120 Stat. 3403, 3450 (Dec. 22, 2006). [4] GAO, Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs, [hyperlink, http://www.gao.gov/products/GAO-07-1019] (Washington, D.C.: Sep. 7, 2007). [5] GAO, Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements, [hyperlink, http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: March 12, 2010). [6] In March 2007 the Office of Management and Budget (OMB) launched the Federal Desktop Core Configuration initiative to standardize and strengthen information security at federal agencies. Under the initiative agencies were to implement a standardized set of configuration settings on workstations with Microsoft Windows XP or Vista operating systems. OMB intended that by implementing the initiative, agencies would establish a baseline level of information security, reduce threats and vulnerabilities, and improve protection of information and related assets. [7] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity's internal control. [8] Access controls ensure that only authorized individuals can read, alter, or delete data; configuration management controls provide assurance that only authorized software programs are implemented; segregation of duties reduces the risk that one individual can independently perform inappropriate actions without detection; continuity of operations planning provides for the prevention of significant disruptions of computer-dependent operations; and an agencywide information security program provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. [9] GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: Feb. 2009). [10] Certification is a comprehensive assessment of management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision to authorize operation of an information system and to explicitly accept the risk to agency operations based on implementation of controls. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: